Hackers Focusing on Small & Medium-Sized Practices

Jul 28, 2021

During the past twelve months, the number of recorded ransomware attacks against healthcare organizations, particularly small- and medium-sized practices, has increased significantly. Security experts attribute the increase to healthcare organizations being more vulnerable during the COVID-19 pandemic and to cybercriminals stepping up their attacks on the healthcare sector.

Large healthcare organizations, while certainly valuable targets for cybercriminals, are not the easiest targets to attack because of the considerable resources they invest in cybersecurity. Infiltrating the networks of larger organizations can prove complicated and time-consuming. Small- and medium-sized practices do not have the same amount of money to invest in cybersecurity, yet they still hold significant amounts of sensitive data.

Along with lower investment in cybersecurity, smaller practices have in the past been guilty of neglecting staff HIPAA training because HHS' enforcement actions have focused on larger organizations. It may also be the case that small- and medium-sized practices do not consider themselves attractive targets for cybercriminals and therefore neglect security and training, which makes them an easier target.

Cyberattacks on Small- & Medium-Sized Healthcare Practices Increasing

A recently published report by the CTI League highlighted the main emerging threats in the healthcare sector. In the last quarter of 2020, experts discovered a significant rise in cyberattacks on the healthcare industry. The report stated: “From October to December, the CTI League observed a dramatic uptick in focused attacks against healthcare entities, particularly small- and medium-sized hospitals and clinics, which impacted clinical workflows at hundreds of healthcare providers.”

Ransomware response company Coveware also produced data (see graph below) which demonstrates the extent to which attacks are conducted on small- and medium-sized healthcare organizations. Coveware recently reported:

  • Nearly 70% of ransomware attacks were targeted at healthcare organizations with fewer than 1,000 employees.
  • During Q4 2020, 65.9% of these attacks were on small (30.2%) and medium (35.7%) sized practices.
  • While Ryuk and Sodinokibi ransomware attacks focused on large enterprises, the Dharma, Snitch, and Netwalker ransomware campaigns focused firmly on small- to medium-sized practices.

Q4, 2020 Ransomware Attacks. Source: Coveware

The access controls typically implemented by small- and medium-sized organizations are frequently not as robust as those used by larger organizations, which makes it easier for cybercriminals to infiltrate networks and databases. Smaller healthcare organizations are also less likely to have dependable backup systems or to conduct HIPAA training for staff that covers all of the main attack vectors.

Without an effective backup system, it may not be possible to restore compromised systems and recover data without paying the ransom. Even when backups exist, they may not allow systems and data to be easily restored, especially if the backups have not been tested to make sure file recovery is possible. Attacks on smaller healthcare organizations can also be more severe, as cybersecurity best practices such as network segmentation may not have been implemented. Security information and event management (SIEM) systems are also less likely to be in place, which makes it harder to rapidly identify and contain a breach.

What Steps Can Small- & Medium-Sized Healthcare Practices Take to Stop Cyberattacks?

Identifying the correct types of cybersecurity measures to implement in order to stop cyber threat actors from infiltrating your network is not a straightforward task. It is often better to start with a range of small changes that will enhance your security posture and build out from there. Here we have listed some measures you can implement to tackle phishing, RDP compromises, and ransomware attacks, and to train the workforce to recognize and avoid threats:

  1. Multi-factor authentication: Multi-factor authentication is an important cybersecurity measure that acts as a failsafe in case credentials are compromised. If credentials are stolen in a phishing attack or are otherwise compromised, access to an account will be blocked unless a second authentication factor is provided. Microsoft reports that MFA will block more than 99.9% of attacks on accounts.
  2. Phishing: Phishing is a leading cause of healthcare data breaches. Phishing emails are used to steal credentials and distribute malware and ransomware. You should implement a password policy that requires strong passwords for all accounts and 2-factor/multi-factor authentication should be implemented on all email accounts. The workforce must be trained how to recognize phishing emails. Also consider conducting phishing simulation exercises to reinforce training and to test the effectiveness of the training program. Employees who fail phishing simulations can be provided with further training.
  3. RDP compromise: Disable Internet-facing RDP if possible. If that is not possible, do not allow direct connections over the Internet; ensure a VPN is used. Enforce the use of strong passwords and configure multi-factor authentication. Disallow external connections to local machines on port 3389 and other RDP ports at the perimeter firewall.
  4. Vulnerability management: Vulnerabilities and threats to ePHI must be managed and reduced to an acceptable level. It is therefore essential to keep on top of patching and software updates. Vulnerabilities in software and operating systems are often exploited to gain access to healthcare networks. Patching should be prioritized, with the most serious vulnerabilities addressed first. If patches cannot be implemented, workarounds and other mitigations should be implemented. Legacy systems that cannot be patched should be isolated and never exposed to the Internet.
  5. Data encryption: Encryption of data at rest and in transit is an addressable requirement of the HIPAA Security Rule. Encryption should be implemented unless an alternative measure can be implemented that provides an equivalent level of protection. Encryption should be used on all portable electronic devices, but also consider encrypting data on the network. In the event of a ransomware or malware infection, or a network compromise, ePHI will be protected.
  6. Network segmentation: You should assume that your perimeter defenses will be breached. You should therefore segment your network to ensure that access cannot be gained to all systems. Network segmentation involves separating the network into different subnets, with each acting as its own small network. This can greatly reduce the severity of a cyberattack.
  7. Security awareness training: Conduct employee security awareness training to educate your workforce about cyber threats and train them how to identify those threats. Security awareness training needs to be conducted regularly; a once-a-year training session is no longer adequate. Regular sessions help to develop a security culture.
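The RDP hardening in step 3 can be verified on each Windows host with a short read-only audit. The script below is an added example, not code from the article, and assumes a Windows host with the NetSecurity module (Windows 8 / Server 2012 or later); it checks host-side settings only, so the perimeter firewall rule in step 3 still has to be confirmed on the firewall itself.

```powershell
# Added example: read-only audit of a Windows host's RDP exposure.
# Reports findings; it changes nothing.

$tsKey  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
$rdpTcp = "$tsKey\WinStations\RDP-Tcp"
$findings = @()

# 1. Is Remote Desktop enabled at all? fDenyTSConnections = 1 means disabled.
$deny = (Get-ItemProperty -Path $tsKey -Name fDenyTSConnections -ErrorAction SilentlyContinue).fDenyTSConnections
if ($deny -ne 1) {
    $findings += 'Remote Desktop is enabled; disable it unless this host genuinely needs it.'
}

# 2. Is Network Level Authentication required? Without NLA the logon screen is
#    reachable before any credential is checked.
$nla = (Get-ItemProperty -Path $rdpTcp -Name UserAuthentication -ErrorAction SilentlyContinue).UserAuthentication
if ($deny -ne 1 -and $nla -ne 1) {
    $findings += 'NLA is not required on the RDP-Tcp listener; require it.'
}

# 3. Which port does the listener actually use? 3389 is the default, but the
#    article's advice covers "other RDP ports" too, so read the configured value.
$port = (Get-ItemProperty -Path $rdpTcp -Name PortNumber -ErrorAction SilentlyContinue).PortNumber
if (-not $port) { $port = 3389 }

# 4. Does any enabled inbound Allow rule open that TCP port on the Public profile?
#    That is what makes the listener reachable from untrusted networks.
$openRules = Get-NetFirewallRule -Direction Inbound -Enabled True -Action Allow -ErrorAction SilentlyContinue |
    Where-Object { "$($_.Profile)" -match 'Public|Any' } |
    Where-Object {
        $pf = $_ | Get-NetFirewallPortFilter
        $ports = @($pf.LocalPort)
        $pf.Protocol -eq 'TCP' -and ($ports -contains "$port" -or $ports -contains 'Any')
    }
foreach ($rule in $openRules) {
    $findings += "Firewall rule '$($rule.DisplayName)' allows inbound TCP/$port on the Public profile."
}

# 5. Report. No findings means the host matches the guidance in step 3.
if ($findings.Count -eq 0) {
    Write-Output "RDP posture (listener port $port): no findings."
} else {
    Write-Output "RDP posture (listener port $port): findings"
    $findings | ForEach-Object { Write-Output " - $_" }
}
```

Run it in an elevated PowerShell session on each workstation and server; any host that reports a finding is one to take off the Internet path or put behind the VPN and MFA described above.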


Small- to medium-sized healthcare practices are a prime target for hackers, and phishing and ransomware attacks are rife. It may not be possible to invest heavily in cybersecurity measures, but by starting with the basics and implementing cybersecurity best practices, it is possible to significantly improve defenses and make it much harder for cyber threat actors to gain a foothold in the network and steal sensitive data.

The increase in targeted attacks on the healthcare industry, especially on small- and medium-sized healthcare organizations, has made it more important than ever to ensure adequate security measures are in place and employees receive adequate training to help them identify and avoid cyber threats.

Raise the level of HIPAA Awareness in your organization with Learner-Friendly, Comprehensive and Affordable HIPAA Training.



Patrick Kennedy

Patrick Kennedy is a highly accomplished journalist and editor with nearly two decades of experience in the field. With expertise in writing and editing content, Patrick has made significant contributions to various publications and organizations. Over the course of his career, Patrick has successfully managed teams of writers, overseeing the production of high-quality content and ensuring its adherence to professional standards. His exceptional leadership skills, combined with his deep understanding of journalistic principles, have allowed him to create cohesive and engaging narratives that resonate with readers. A notable area of specialization for Patrick lies in compliance, particularly in relation to HIPAA (Health Insurance Portability and Accountability Act). He has authored numerous articles delving into the complexities of compliance and its implications for various industries. Patrick's comprehensive understanding of HIPAA regulations has positioned him as a go-to expert, sought after for his insights and expertise in this field. Patrick's bachelor's degree is from the University of Limerick and his master's degree in journalism is from Dublin City University. You can contact Patrick through his LinkedIn profile:
